What Companies Need to Know About Changes to Colorado's Cybersecurity Law

New legislation passed by in Colorado and went into affect September 1

By David M. Stauss and Gregory P. Szewczyk

Published: 2018.09.16 07:55 PM

Entities doing business in Colorado will need to comply with new data security requirements as a result of legislation passed by the Colorado legislature that went into effect on September 1. The legislation was spearheaded by the Colorado Attorney General’s office to strengthen the office’s ability to investigate and take action against entities that do not take proper measures to protect the confidential information of Colorado residents.

The law also significantly amends Colorado’s data breach notification statute to make it one of the strictest in the country. Under the amended law, if a business suspects it experienced a security breach, it must conduct a prompt investigation to determine whether a compromise of “personal information” occurred. If so, it must notify affected Colorado residents within 30 days and provide specific information as to the nature of the breach, such as a description of the personal information that was compromised and the date of the breach. Notice also must be provided to the Colorado Attorney General’s office if the breach affected the personal information of 500 or more Colorado residents.

The new law drastically expands the type of information that will trigger a breach notification obligation if compromised. Specifically, the law defines “personal information” to mean a Colorado resident’s first name or first initial and last name in combination with any of the following data elements: social security number; student, military or passport identification number; driver’s license number or identification card number; medical information; health insurance identification number; or biometric data. The definition also includes a Colorado resident’s username or email address in combination with a password or security questions and answers that would permit access to an online account or a Colorado resident’s account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to that account.

To ensure compliance with the law, covered entities should develop and implement: